1687 Views, 0 Helpful, 7 Replies

Loopback on 515E

booger2000
Level 1

First of all, I am very much a newbie, so please bear with me. And talk very slowly. I have a 515E router with NAT set up. Internal IPs look like 172.16.10.x and external IPs look like 208.119.81.x. Our DNS is set up inside the network (so I can't set up an alias - right?). I have one application running on an internal server that needs to be accessed from both outside and inside the network. This application needs to be accessed via the external IP address. Everything works great outside the network but, of course, the application cannot be accessed from within the network via the external IP. I've tried searching for some type of resolution to this problem and keep coming across setting up a loopback. Is it even possible to set up a loopback on a 515E? If so, how do I go about doing that? Would setting up a loopback solve my problem? Any other suggestions on how to accomplish this? Thanks!

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee

You mean PIX 515E, I guess. It's a firewall, not a router, therefore you can't create a loopback interface.

Depending on which version of PIX you are currently running, if it's version 7.x or higher, then you can configure the following:

same-security-traffic permit intra-interface

static (inside,inside) 208.119.81.x 172.16.10.x netmask 255.255.255.255

Then assuming that you have "nat (inside) 1 0 0", then configure the following:

global (inside) 1 interface

Hope that helps.


7 Replies


Thanks for the quick response! Yes, I mean a PIX 515E. We are running v6.3. Below is a copy of the configuration. I believe we already have what you suggested.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x encrypted
passwd x encrypted
hostname x
domain-name x
fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list NONAT permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list NONAT permit ip 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list NONAT permit ip 172.16.10.0 255.255.255.0 172.16.90.0 255.255.255.0
access-list NONAT permit ip 172.16.90.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list NONAT permit ip 172.16.29.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list NONAT permit ip 172.16.10.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list NONAT permit ip 172.16.29.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list NONAT permit ip 172.16.20.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list 102 permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list 102 permit ip 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 200 permit ip 172.16.90.0 255.255.255.0 any
access-list 200 permit tcp 66.18.176.0 255.255.240.0 any eq ssh
access-list 200 permit tcp 165.139.139.0 255.255.255.128 any eq ssh
access-list 200 permit icmp any any
access-list 200 permit tcp 64.20.64.0 255.255.240.0 any eq ssh
access-list 200 permit tcp 150.147.1.0 255.255.255.0 host 208.119.81.x
access-list 200 permit tcp 150.147.1.0 255.255.255.0 host 208.119.81.x
access-list 200 permit tcp host 66.55.55.66 host 208.119.81.x
access-list 200 permit tcp any host 208.119.81.x eq www
access-list 200 permit tcp any host 208.119.81.x eq www
access-list 200 permit tcp 150.147.1.0 255.255.255.0 host 208.119.81.x
access-list 200 permit tcp host 66.55.55.66 host 208.119.81.x eq 5900
access-list 200 permit tcp 165.139.139.0 255.255.255.128 host 208.119.81.x
access-list 200 permit tcp 165.139.139.0 255.255.255.128 host 208.119.81.x
access-list 200 permit tcp any host 208.119.81.x eq 3389
access-list 200 permit tcp any host 208.119.81.x eq www
access-list 200 permit tcp any host 208.119.81.x eq 3389
access-list 200 permit tcp any host 208.119.81.x eq www
access-list 200 permit tcp any host 208.119.81.x eq 3011
access-list 200 permit tcp any host 208.119.81.x eq 1911
access-list 200 permit tcp any host 208.119.81.x eq www
access-list 200 permit tcp any host 208.119.81.x eq 3389
access-list 200 permit tcp host 64.20.65.84 host 208.119.81.x
access-list 200 permit tcp any host 208.119.81.x eq smtp
access-list 200 permit tcp any host 208.119.81.x eq www
access-list 200 permit tcp any host 208.119.81.x eq www
access-list 200 permit tcp any host 208.119.81.x eq https
access-list 200 permit tcp any host 208.119.81.x eq 444
access-list 200 permit tcp host 98.172.95.4 host 208.119.81.x
access-list 200 permit tcp any host 208.119.81.x eq 8080
access-list 200 permit tcp 192.206.158.0 255.255.255.0 host 208.119.81.x
access-list 101 permit ip 172.16.29.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 101 permit ip 172.16.10.0 255.255.255.0 172.16.29.0 255.255.255.0
pager lines 20
logging on
logging timestamp
logging standby
logging console alerts
logging monitor alerts
logging buffered notifications
logging history notifications
logging queue 4096
mtu outside 1500
mtu inside 1500
ip address outside 208.119.81.x 255.255.255.224
ip address inside 172.16.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 172.16.90.1-172.16.90.254
pdm history enable
arp timeout 14400
global (outside) 1 208.119.81.x
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 208.119.81.x 172.16.10.31 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.21 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.20 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.23 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.24 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.25 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.22 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.18 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.19 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.9 dns netmask 255.255.255.255 0 0
access-group 200 in interface outside
route outside 0.0.0.0 0.0.0.0 208.119.81.x 1
route inside 172.16.19.0 255.255.255.0 172.16.10.49 1
route inside 172.16.20.0 255.255.255.0 172.16.10.4 1
route inside 172.16.29.0 255.255.255.0 172.16.20.49 1
route inside 172.16.90.0 255.255.255.0 172.16.10.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 63.66.232.243
crypto map transam 1 set transform-set chevelle
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 102
crypto map transam 2 set peer 63.118.117.178
crypto map transam 2 set transform-set chevelle
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 172.16.10.11 255.255.255.255 inside
telnet 172.16.10.19 255.255.255.255 inside
telnet timeout 10
ssh 66.18.176.0 255.255.240.0 outside
ssh 165.139.139.0 255.255.255.128 outside
ssh 206.137.30.0 255.255.255.0 outside
ssh 63.118.117.0 255.255.255.0 outside
ssh 172.16.10.0 255.255.255.0 inside
ssh timeout 50
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication chap
vpdn group 1 client configuration address local vpn-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username x password *********
vpdn enable outside
terminal width 80
Cryptochecksum:dc955b59828d03ce0cefeb40c333be19
: end

No, the configuration does not have what I suggested earlier; however, it is not supported anyway in the previous version, as traffic will be coming in and out of the same interface, which is not supported in version 6.3.
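As an added example (not code from this thread or from Cisco), the following Python script parses a PIX-style configuration of the kind posted above and reports whether the three lines from the accepted solution are present, and whether the software version is 7.x or later, since 6.3 cannot send traffic back out the interface it arrived on. The two sample configurations are constructed from fragments on this page, with the masked 208.119.81.x addresses replaced by documentation addresses in 203.0.113.0/24; the script assumes the interfaces are named inside and outside, as in the posted config, and ignores every other line.

```python
"""Hairpin (U-turn) NAT readiness check for a PIX-style configuration.

Added example, not code from this thread or from Cisco. It parses the kind of
config text posted above and reports whether the lines from the accepted
solution are present and whether the software version supports them at all.
Addresses in the constructed samples use 203.0.113.0/24 in place of the
masked 208.119.81.x values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTRA_INTERFACE = "same-security-traffic permit intra-interface"

VERSION_RE = re.compile(r"^(?:PIX|ASA) Version (\d+)\.(\d+)", re.M)
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)(.*)$", re.M)
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ", re.M)
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)", re.M)

# Constructed sample: the relevant lines of the 6.3(4) config posted above.
SAMPLE_CONFIG_63 = """\
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global (outside) 1 203.0.113.10
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.31 172.16.10.31 dns netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.21 172.16.10.21 dns netmask 255.255.255.255 0 0
access-group 200 in interface outside
"""

# Constructed sample: the same box after an upgrade, with the accepted-solution lines added.
SAMPLE_CONFIG_72 = """\
PIX Version 7.2(4)
same-security-traffic permit intra-interface
global (outside) 1 203.0.113.10
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.31 172.16.10.31 dns netmask 255.255.255.255
static (inside,inside) 203.0.113.31 172.16.10.31 netmask 255.255.255.255
static (inside,outside) 203.0.113.21 172.16.10.21 dns netmask 255.255.255.255
static (inside,inside) 203.0.113.21 172.16.10.21 netmask 255.255.255.255
"""


@dataclass
class Static:
    src_if: str
    dst_if: str
    global_ip: str
    local_ip: str
    dns_doctoring: bool  # "dns" keyword: rewrites A records in DNS replies that cross the firewall


@dataclass
class HairpinReport:
    version: Optional[Tuple[int, int]]
    supported: bool          # 7.0 or later can send traffic back out the inside interface
    published: List[Static]  # inside -> outside statics that inside clients may need to reach
    missing: List[str]       # config lines still required for hairpinning

    @property
    def ready(self) -> bool:
        return self.supported and not self.missing


def parse_version(text: str) -> Optional[Tuple[int, int]]:
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_statics(text: str) -> List[Static]:
    statics = []
    for m in STATIC_RE.finditer(text):
        rest = m.group(5).split()
        statics.append(Static(m.group(1), m.group(2), m.group(3), m.group(4), "dns" in rest))
    return statics


def check_hairpin(text: str, inside: str = "inside", outside: str = "outside") -> HairpinReport:
    version = parse_version(text)
    supported = version is not None and version >= (7, 0)
    lines = {line.strip() for line in text.splitlines()}
    statics = parse_statics(text)
    published = [s for s in statics if (s.src_if, s.dst_if) == (inside, outside)]
    hairpins = {(s.global_ip, s.local_ip) for s in statics if (s.src_if, s.dst_if) == (inside, inside)}

    missing = []
    if INTRA_INTERFACE not in lines:
        missing.append(INTRA_INTERFACE)
    # Every published server needs a matching inside,inside static so that an
    # inside client hitting the public address is translated back to the server.
    for s in published:
        if (s.global_ip, s.local_ip) not in hairpins:
            missing.append(f"static ({inside},{inside}) {s.global_ip} {s.local_ip} netmask 255.255.255.255")
    # The client side must be PAT'd to the inside interface address so the
    # server replies through the firewall instead of directly to the client.
    nat_ids = {m.group(2) for m in NAT_RE.finditer(text) if m.group(1) == inside and m.group(2) != "0"}
    inside_globals = {(m.group(2), m.group(3)) for m in GLOBAL_RE.finditer(text) if m.group(1) == inside}
    for nat_id in sorted(nat_ids):
        if (nat_id, "interface") not in inside_globals:
            missing.append(f"global ({inside}) {nat_id} interface")
    return HairpinReport(version, supported, published, missing)


if __name__ == "__main__":
    for name, cfg in (("6.3(4)", SAMPLE_CONFIG_63), ("7.2(4)", SAMPLE_CONFIG_72)):
        report = check_hairpin(cfg)
        print(f"{name}: supported={report.supported} ready={report.ready}")
        for line in report.missing:
            print("  missing:", line)
```

Run against the 6.3(4) sample it reports the version as unsupported and lists all four missing lines (the intra-interface permit, one inside,inside static per published server, and the inside PAT global); against the 7.2(4) sample it reports ready. The dns keyword is tracked separately because, as Jennifer notes, it only helps when the DNS reply itself crosses the firewall, which is not the case when both client and DNS server are inside.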

Darn!  Do you see any other solution?

Unfortunately no, with that version of software. Unless you can play with the DNS, i.e. when it's accessed from the internal network, have it resolve to its private IP address.

Hello,

Upgrade the code to 7.2 and beyond and then configure U-turn as suggested by hal.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Regards,

NT

Thanks to everyone for all the responses.  I think the easiest way to resolve this problem is to assign a host name to the program we need access to.  I was trying to avoid this because an outside vendor needs to get involved but at this point that's what needs to be done.  Thanks again!!
